Message-ID: <20110921135053.GA12347@openwall.com>
Date: Wed, 21 Sep 2011 17:50:53 +0400
From: Solar Designer <solar@...nwall.com>
To: john-dev@...ts.openwall.com
Subject: Re: 1.7.8-jumbo-6-RC* on Mac OS X

Jim -

On Wed, Sep 21, 2011 at 05:25:12PM +0400, Solar Designer wrote:
> Your md5_gen code is complicated, so I think I'll leave further
> investigation to you.  What I found out is that Setup->pConstants is
> sometimes NULL and sometimes a non-NULL invalid pointer.

After some playing with gcc options, I am now getting Setup->pFuncs of
NULL, so md5_gen_SETUP() crashes sooner. %-)

It is an uninitialized value if we trust gdb's hardware-assisted
watchpoints.  I set two of them: on write and on read.  Only the read
one was triggered, on the NULL read right before the place where
md5_gen_SETUP() crashes.

(gdb) watch *0xc3004
Hardware watchpoint 1: *798724
(gdb) rwatch *0xc3004
Hardware read watchpoint 2: *798724
(gdb) r
Starting program: /Users/user/john/john-1.7.8-jumbo-6-RC6/run/john 
Reading symbols for shared libraries +++++. done
Hardware watchpoint 1: *798724
Hardware read watchpoint 2: *798724
md5_gen_SETUP: 0xc3000
md5_gen_SETUP: 0xc3000
Hardware read watchpoint 2: *798724

Value = 0
0x0001f3f2 in md5_gen_SETUP ()
(gdb) disass $pc-20 $pc+20
Dump of assembler code from 0x1f3de to 0x1f406:
0x0001f3de <md5_gen_SETUP+94>:  mov    -0x5c(%ebp),%eax
0x0001f3e1 <md5_gen_SETUP+97>:  mov    %eax,0x4(%esp)
0x0001f3e5 <md5_gen_SETUP+101>: mov    (%edi),%eax
0x0001f3e7 <md5_gen_SETUP+103>: mov    %eax,(%esp)
0x0001f3ea <md5_gen_SETUP+106>: call   0x1f5485 <dyld_stub_fprintf>
0x0001f3ef <md5_gen_SETUP+111>: mov    0x4(%esi),%eax
0x0001f3f2 <md5_gen_SETUP+114>: lea    -0x5b(%ebx),%edx
0x0001f3f8 <md5_gen_SETUP+120>: mov    %edx,-0x54(%ebp)
0x0001f3fb <md5_gen_SETUP+123>: cmp    %edx,(%eax)
0x0001f3fd <md5_gen_SETUP+125>: je     0x205d2 <md5_gen_SETUP+4690>
0x0001f403 <md5_gen_SETUP+131>: lea    -0x4b(%ebx),%ecx
End of assembler dump.

%esi is Setup, 0x4(%esi) is &Setup->pFuncs

Alexander
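As an added illustration of the defect class diagnosed in this message (this is constructed example code, not code from John the Ripper's md5_gen or from the thread): a stand-in Setup structure that borrows only the field names pFuncs and pConstants from the mail (szFORMAT_NAME, gen_func and the step functions are assumed), showing why an unzeroed allocation makes a forgotten pFuncs assignment read as NULL on one build and as a stale non-NULL pointer on another, and a validation step that refuses to dereference the table until it is known to be set.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the md5_gen Setup structure; only the names
 * pFuncs and pConstants come from the mail, everything else is assumed. */
typedef struct {
    const char *name;
    int (*fn)(char *buf, size_t buf_len);   /* in-place transform, 0 = ok */
} gen_func;

typedef struct {
    const char  *szFORMAT_NAME;   /* assumed field */
    gen_func    *pFuncs;          /* must point at a {NULL, NULL}-terminated table */
    const char **pConstants;      /* optional; NULL when nConstants == 0 */
    unsigned     nConstants;
} gen_setup;

/* Bug pattern: malloc() leaves every field indeterminate, so a forgotten
 * pFuncs assignment is NULL on one build and heap garbage on another,
 * which is the "sometimes NULL, sometimes invalid" behaviour seen above. */
gen_setup *setup_alloc_unsafe(void)
{
    return malloc(sizeof(gen_setup));
}

/* Hardened allocation: calloc() makes every unset pointer a definite NULL,
 * so the check in setup_validate() is reliable instead of luck-dependent. */
gen_setup *setup_alloc_checked(void)
{
    return calloc(1, sizeof(gen_setup));
}

/* Returns 0 when the setup is usable, or a negative code naming the first
 * problem. Runs before anything dereferences pFuncs or pConstants. */
int setup_validate(const gen_setup *s)
{
    if (s == NULL)                                   return -1;
    if (s->szFORMAT_NAME == NULL)                    return -2;
    if (s->pFuncs == NULL)                           return -3; /* the crash in the mail */
    if (s->pFuncs[0].fn == NULL)                     return -4; /* empty function table */
    if (s->nConstants > 0 && s->pConstants == NULL)  return -5;
    for (unsigned i = 0; i < s->nConstants; i++)
        if (s->pConstants[i] == NULL)                return -6;
    return 0;
}

/* Stand-in for the tail of md5_gen_SETUP(): walk the function table only
 * after validation succeeded. Returns the number of steps run, else the
 * validation error code. */
int setup_run(const gen_setup *s, char *buf, size_t buf_len)
{
    int rc = setup_validate(s);
    if (rc != 0)
        return rc;
    int steps = 0;
    for (const gen_func *f = s->pFuncs; f->fn != NULL; f++) {
        if (f->fn(buf, buf_len) != 0)
            return -7;
        steps++;
    }
    return steps;
}

/* Two trivial constructed steps so the table has something to run. */
static int step_upper(char *buf, size_t len)
{
    for (size_t i = 0; i < len && buf[i]; i++)
        if (buf[i] >= 'a' && buf[i] <= 'z')
            buf[i] = (char)(buf[i] - 'a' + 'A');
    return 0;
}

static int step_reverse(char *buf, size_t len)
{
    size_t n = strnlen(buf, len);
    for (size_t i = 0; i < n / 2; i++) {
        char t = buf[i]; buf[i] = buf[n - 1 - i]; buf[n - 1 - i] = t;
    }
    return 0;
}

/* Constructed demo: a fully initialised setup next to one whose pFuncs was
 * never assigned. Returns 1 when the good one ran both steps and the bad
 * one was rejected with -3 before any dereference. */
int demo(char *out, size_t out_len)
{
    static gen_func table[] = { {"upper", step_upper}, {"reverse", step_reverse}, {NULL, NULL} };
    gen_setup *good = setup_alloc_checked();
    gen_setup *bad  = setup_alloc_checked();
    good->szFORMAT_NAME = "demo"; good->pFuncs = table;
    bad->szFORMAT_NAME  = "demo"; /* pFuncs deliberately left unset: a definite NULL */
    snprintf(out, out_len, "%s", "abc");
    int ran    = setup_run(good, out, out_len);   /* 2 steps, buffer becomes "CBA" */
    int caught = setup_run(bad, out, out_len);    /* -3, buffer untouched */
    free(good); free(bad);
    return ran == 2 && caught == -3;
}

int main(void)
{
    char buf[16];
    printf("demo: %s, buffer = %s\n", demo(buf, sizeof buf) ? "ok" : "FAILED", buf);
    return 0;
}
```

The point of the pairing is that a NULL check on pFuncs only means something when the allocation is zeroed: with setup_alloc_unsafe() the same check would pass on the builds where the leftover heap contents happen to be non-NULL, which is the intermittent "non-NULL invalid pointer" case the mail reports. The two gdb watchpoints (watch for writes, rwatch for reads) are the runtime counterpart of that check: a read hit with no preceding write hit is the signature of an uninitialized field.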
